
WO2018158750A1 - Computer systems and methods - Google Patents


Info

Publication number: WO2018158750A1
Application number: PCT/IB2018/051362
Authority: WO (WIPO, PCT)
Prior art keywords: area, computer, personal information, partition, implemented method
Other languages: English (en)
Other versions: WO2018158750A9 (fr)
Inventors: Graeme SPEAK, Neil Richardson
Original assignee: Gopc Pty Ltd
Priority claimed from: AU2017900748A
Application filed by: Gopc Pty Ltd
Related applications: AU2018228454B2, US20200004951A1, EP3590060A4
Publications: WO2018158750A1, WO2018158750A9


Classifications

    • G PHYSICS
        • G06 COMPUTING OR CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
                    • G06F13/38 Information transfer, e.g. on bus
                        • G06F13/42 Bus transfer protocol, e.g. handshake; Synchronisation
                            • G06F13/4282 Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F21/31 User authentication
                            • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
                        • G06F21/44 Program or device authentication
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                            • G06F21/575 Secure boot
                    • G06F21/60 Protecting data
                        • G06F21/602 Providing cryptographic facilities or services
                        • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
                                • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
                                    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes by anonymising data, e.g. decorrelating personal data from the owner's identification
                • G06F2213/00 Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
                    • G06F2213/0042 Universal serial bus [USB]
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                        • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
                            • H04L9/0631 Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
                            • H04L9/0637 Modes of operation, e.g. cipher block chaining [CBC], electronic codebook [ECB] or Galois/counter mode [GCM]
                    • H04L9/50 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using hash chains, e.g. blockchains or hash trees
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                            • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
            • H04W WIRELESS COMMUNICATION NETWORKS
                • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
                    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
                    • H04W12/06 Authentication

Definitions

  • the present invention concerns computing systems and methods.
  • a security device for providing a secure financial interface allowing a user to access his or her bank account.
  • a computer implemented method comprising: (A) providing at least one mobile electronics device, each device having a data store comprising a first area and a second area; the second area being distinct from the first area to assist with securing the first area; the first area being a system area and the second area for storing personal information; and (B) in connection with each mobile electronic device: associating personal information with computer identifying information to provide special personal information; storing the special personal information in the second area; and retrieving the personal information by: (i) reading the special personal information from the second area; and (ii) applying the computer identifying information to the special personal information.
  • the first area comprises a locked down system area; the second area comprises an authentication area and the personal information comprises authentication data.
  • the first area comprises a read-only partition
  • the second area comprises a read-write partition
  • the personal information comprises password, wallet or key data.
  • the personal information comprises personal financial data.
  • the personal information comprises a WIFI network password.
  • each mobile electronic device comprises a dedicated storage device.
  • the dedicated storage device comprises a USB thumb drive.
  • the first area comprises a locked down system area; the second area comprises an authentication area; and the authentication area is no more than 10MB in size.
  • the first area comprises a locked down system area; the second area comprises an authentication area; and the authentication area is no more than 5 MB in size.
  • the first area comprises a locked down system area; the second area comprises an authentication area; and the authentication area is greater than 1MB in size.
  • the first area comprises a locked down system area; the second area comprises an authentication area; and the operating system area is greater than 400MB in size.
  • associating the personal information with the computer identifying information to provide the special personal information comprises encrypting the personal information using the computer identifying information as the encryption password.
  • applying computer identifying information to the special personal information comprises decrypting the special authentication data using the computer identifying information.
  • the personal information comprises a WIFI network password.
  • the first area comprises a locked down operating system area
  • the second area comprises an authentication area
  • the method includes, in connection with each mobile electronic device, booting a computer using the operating system area and, when the computer identifying information corresponds with the computer, automatically logging onto the associated WIFI network using the WIFI password.
  • the first area comprises a locked down operating system area; the second area comprises an authentication area; the operating system area comprises a read-only partition and the authentication area comprises a read-write partition; associating the WIFI network password with the computer identifying information to provide the special authentication data comprises encrypting the WIFI network password using the computer identifying information as the password; and applying computer identifying information to the special authentication data comprises decrypting the special authentication data using the computer identifying information.
  • the computer identifying information is unique to a corresponding host computer such that the personal information of each mobile device is locked to a particular host computer due to the computer identifying information.
  • any changes to the first area are lost when the host computer is powered off or rebooted; and the personal information of the second area is persistent between reboots and power cycles of the host computer.
  • the personal information is encrypted via the Advanced Encryption Standard (AES) with encryption keys of 128 or more bits in cipher block chaining mode of operation.
  • AES: Advanced Encryption Standard.
  • the computer identifying information comprises a unique hardware identifier.
  • the unique hardware identifier comprises a CPU serial number or network MAC address associated with a corresponding computer.
  • the personal information comprises an electronic wallet.
  • the personal information comprises a block-chain private key.
  • the personal information comprises a block-chain private key for electronic currency.
  • the personal information comprises a private key.
  • a computer implemented method comprising: (A) providing at least one mobile electronics device, each device having a data store comprising an operating system area and an authentication area; the authentication area being distinct from the operating system area to assist with securing the operating system area; the authentication area for storing authentication data; and (B) in connection with each mobile electronic device: associating authentication data with computer identifying information to provide special authentication data; storing the special authentication data in the authentication area; and retrieving said authentication data by: (i) reading the special authentication data from the authentication area; and (ii) applying the computer identifying information to the special authentication data.
  • a computer implemented method comprising the steps of: (A) providing USB devices having a first partition and a second partition; each first partition storing an operating system configured to be loaded upon booting a computer using the USB device; each first partition being a read only partition; each second partition being a read-write partition; (B) in connection with each USB device: encrypting WIFI network password data with computer identifying information that uniquely identifies a computer to provide encrypted WIFI network authentication data; storing the encrypted WIFI network authentication data in the second partition; and retrieving said WIFI network password data by: (i) reading the encrypted WIFI network authentication data from the second partition; and (ii) applying the computer identifying information to the encrypted WIFI network authentication data by using the computer identifying information as a decryption password.
  • a computer implemented system comprising: a plurality of USB devices each having a first partition and a second partition; each first partition storing an operating system configured to be loaded upon booting a computer using the USB device; each first partition being a read only partition; each second partition being a read-write partition; each operating system including: (A) an encryption facility for encrypting WIFI network password data with computer identifying information that uniquely identifies a computer to provide encrypted WIFI network authentication data; (B) a storage facility for storing the encrypted WIFI network authentication data in the second partition; and (C) a retrieval facility for retrieving said WIFI network password data by: (i) reading the encrypted WIFI network authentication data from the second partition; and (ii) applying the computer identifying information to the encrypted WIFI network authentication data by using the computer identifying information as a decryption password.
  • a storage device comprising: a first area and a second area; the second area being distinct from the first area to assist with securing the first area; the first area being a system area and the second area for storing personal information; the first area including: (A) an associator for associating personal information with computer identifying information to provide special personal information; (B) a storage facility for storing the special personal information data in the second area; and (C) a retrieval facility for retrieving said personal information by: (i) reading the special personal information from the second area; and (ii) applying the computer identifying information to the special personal information.
  • a storage device comprising: a first partition and a second partition; the first partition storing an operating system configured to be loaded upon booting a computer using the USB device; each first partition being a read only partition; each second partition being a read-write partition; each operating system including: (A) an encryption facility for encrypting WIFI network password data with computer identifying information that uniquely identifies a computer to provide encrypted WIFI network authentication data; (B) a storage facility for storing the encrypted WIFI network authentication data in the second partition; and (C) a retrieval facility for retrieving said WIFI network password data by: (i) reading the encrypted WIFI network authentication data from the second partition; and (ii) applying the computer identifying information to the encrypted WIFI network authentication data by using the computer identifying information as a decryption password.
  • a computer implemented method comprising: (A) providing a plurality of mobile electronics devices, each device having a data store comprising a first area; (B) providing an external data store external to the mobile electronics devices; each first area being a system area and the external data store for storing personal information; and (C) in connection with each mobile electronic device: associating personal information with computer identifying information to provide special personal information; storing the special personal information in the external data store; and retrieving the personal information by: (i) reading the special personal information from the external data store; and (ii) applying the computer identifying information to the special personal information.
  • the personal information comprises password, wallet or key data.
  • the personal information comprises personal financial data.
  • associating the personal information with the computer identifying information to provide the special personal information comprises encrypting the personal information using the computer identifying information as the encryption password.
  • applying computer identifying information to the special personal information comprises decrypting the special authentication data using the computer identifying information.
  • each first area comprises a locked down operating system area; the second area comprises an authentication area.
  • the mobile electronic devices each comprise a USB device having a first partition.
  • Each first partition is provided for storing an operating system configured to be loaded upon booting a computer using the USB device; each first partition being a read only partition.
  • personal information is encrypted in the data store, which is accessed via the internet, using computer identifying information that identifies the computer allocated to the USB device.
  • a computer implemented method comprising: (i) providing users with user accounts; (ii) providing the users with first virtual machines in association with local electronic devices of the users; (iii) receiving user data from the users where each user is provided with the ability to store data in association with the user account of the user; and (iv) encrypting the user data of each user based on computer identifying information of an associated local electronics device of the user.
  • the computer identifying information of each local electronics device comprises a unique hardware identifier of the local electronics device.
  • the method includes storing the unique hardware identifiers of the local electronics devices in a data store of encryption keys; and associating the encryption keys with corresponding user accounts.
  • the method includes decrypting the data of each user based on the unique hardware identifier of the associated local electronics device of the user.
  • Figure 1 provides an illustration of a computer implemented method according to a first preferred embodiment of the present invention.
  • FIG 2 provides a schematic illustration of a USB flash drive used in the method shown in Figure 1, the USB flash drive providing a further preferred embodiment.
  • Figure 3 provides an illustration of a computer implemented method according to another preferred embodiment of the present invention.
  • Figure 4 provides an illustration of the working of the method illustrated in Figure 3.
  • Figure 5 provides an illustration of a computer implemented method according to another preferred embodiment of the present invention.
  • Figure 6 provides an illustration of a computer implemented system according to another preferred embodiment of the present invention.
  • FIG 7 provides an illustration of a USB flash drive device used in the system shown in Figure 6, the USB flash drive providing a further preferred embodiment.
  • In FIG 1 there is shown a computer implemented method 10 according to a first preferred embodiment of the present invention.
  • the computer implemented method 10 is considered to allow for the advantageous storage of personal information in the form of Wi-Fi login passwords and block chain private keys for use in the provision of a remote desktop.
  • the remote desktop provides dedicated access to an online financial account.
  • the method 10 includes providing a plurality of mobile electronic devices 14.
  • the mobile electronic devices 14 comprise universal serial bus storage devices 16 (USB devices).
  • the USB devices 16 are each dedicated to the provision of data storage and comprise USB flash drives.
  • A USB flash drive consists of a small printed circuit board carrying the circuit elements and a USB connector, insulated electrically and protected inside a case which can be carried in a pocket or on a key chain, for example.
  • the USB connector may be protected by a removable cap or by retracting into the body of the drive, although it is not likely to be damaged if unprotected.
  • Most flash drives use a standard type-A USB connection allowing connection with a port on a personal computer, but drives for other interfaces also exist. USB flash drives draw power from the computer via the USB connections.
  • each device 16 provides a data store 18 comprising a first area 20 and a second area 22.
  • the second area 22 is distinct from the first area 20 to assist with securing the first area 20.
  • the first area 20 of each device 16 comprises a locked down system area 24.
  • the second area 22 comprises an authentication area 26 and is provided for storing personal information 28.
  • the first area 20 comprises a read-only partition 30 and the second area 22 comprises a read-write partition 32.
  • the first area 20 can provide a locked down operating system area 24.
  • the read-write partition 32 is utilised as discussed below.
  • a partition comprises a region on a storage device that has been formatted so that an operating system can manage information in each region separately.
  • Various partition types are used by different operating systems.
  • the partitions comprise disk partitions of the dedicated storage devices.
  • the method 10 at block 34 includes associating personal information 28 with computer identifying information 38 to provide special personal information 40.
  • the computer identifying information 38 is used as an encryption key 42.
  • the method 10 includes storing the special personal information 40 in the read-write partition 32.
  • the method 10 includes retrieving the personal information 28 by: (i) reading the special personal information 40 from the second area 22 and (ii) applying the computer identifying information 42 to the special personal information 40.
  • the process of retrieving includes decrypting the special personal information 40 at block 48.
  • the personal information 28 comprises authentication data 28.
  • the second area 22 comprises an authentication area 22 for storing the authentication data 28.
  • the authentication data 28 could comprise password, wallet or key data.
  • password data include WIFI SSID/password pairs for logging into WIFI networks.
  • wallet data include BITCOIN private keys that are able to be used to transfer electronic currency in relation to a publicly accessible ledger.
  • BITCOIN is a crypto currency and payment system based on a peer to peer model where transactions take place between users directly.
  • the BITCOIN blockchain provides a publicly distributed ledger where bitcoins comprise units of each transaction.
  • the system is cryptographic, requiring the use of keys to validate transactions. Bitcoins are presently created as a reward for computer power that verifies and records bitcoin transactions in the block chain. Users are able to pay optional transaction fees to miners.
  • the authentication data 28 in other embodiments could comprise a BLOCKCHAIN private key. Keys for providing access to data and information are considered to fall within the expression authentication data 28. In the case of Bitcoin, without a key, a transaction cannot be signed and therefore the currency cannot be spent.
  • the personal information could comprise personal financial data including bank account numbers and transactions. Other applications include encrypted wallets of digital currency.
  • the personal information 28 comprises a WIFI network password. This relates to the embodiment shown in relation to Figure 3.
  • Figure 3 illustrates a computer implemented method 60 according to another preferred embodiment of the present invention.
  • the method 60 at block 62 provides a number of USB flash drives 65 each having a first partition 66 and a second partition 68.
  • Each first partition 66 comprises a read only partition 66 storing an operating system configured to be loaded upon booting a computer using the USB device.
  • Each second partition 68 comprises a read-write partition 68 for storing authentication data 72.
  • the authentication data 72 comprises WIFI network password data 72.
  • the method 60 at block 74, in connection with each USB device 65 includes encrypting WIFI network password data 72 with computer identifying information 76 that uniquely identifies a computer that is associated with the corresponding USB device 65.
  • the computer identifying information 76 comprises the computer motherboard serial number of the corresponding computer.
  • the computer motherboard serial number is read by the operating system stored on the first partition 66 during booting of the operating system on the host computer.
  • the hardware motherboard serial number 78 forms the encryption key 78 that is used at block 74.
  • the encryption uses the encryption key 78 to encrypt the WIFI network password data 72 to provide encrypted passwords.
  • Various encryption techniques including AES encryption are able to be readily used in provision of the method 60.
  • Block 74 provides encrypted WIFI network authentication data 80.
  • the method 60 includes storing the encrypted WIFI network authentication data 80 in the second partition of the corresponding USB device 65.
  • the method 60 includes retrieving the WIFI network password data by reading the encrypted WIFI network authentication data 80 from the second partition 68 of the corresponding USB device 65 and applying the encryption key 78 (as a decryption key 78) to the encrypted WIFI network authentication data 80.
  • the computer identifying information 76 is used as a decryption password.
  • Each of the USB flash devices 65 is used to store the WIFI password of a WIFI network that the corresponding computer is able to connect to.
  • each USB device 65 in effect provides an authentication partition 68.
  • Each USB device 65 provides a dedicated storage device that stores an operating system in a read only partition and stores authentication data for WIFI networks in an authentication partition. This is performed in the context of the provision of a secured remote desktop for banking operations. As discussed, the locked down system environment provided by the operating system is directed toward preventing third party attacks. The operating system provides no more than is necessary for remote desktop services with authentication to limit the attack surface.
  • a custom operating system is limited to providing remote protocol functionality that connects to a virtual computer service.
  • the remote protocol functionality may be a custom remote protocol functionality or one of NX, RDP or ICA. These protocols are distinguished in that they have the ability to provide a remote desktop of some form.
  • the remote desktop is limited to providing a banking application running on the remote desktop with only the banking application being accessible by the user.
  • a browser is hosted that can access the bank via the Internet. The bank could of course be connected to by VPN or dialup connection.
  • USB flash devices 65 are distinguished from those described in International patent application PCT/AU2015/050758 by the provision of each USB device having a read-write authentication area where a unique identifier of a corresponding computer is used to encrypt a WIFI password of a WIFI network.
  • the private key does not relate specifically to a network associated with the computer.
  • the nature of the types of information are similar in that both provide a key.
  • an authentication area does not have to be particularly large to store one or more WIFI passwords encrypted using identifiers of computers associated with the corresponding USB device.
  • the authentication area could be between 1 to 4MB for example. In some embodiments, the authentication area is no more than 10MB in size. In other embodiments, the authentication area is no more than 5 MB in size.
  • the size of the partition of the first area may be greater than 400MB in size.
  • the applicant is not presently aware of any systems providing access to say banking information through a remote desktop by booting a USB device where personal information is associated with the computer identifying information to provide encrypted personal information. Nor is the applicant aware of such systems decrypting special authentication data using the same computer identifying decryption password where the personal information comprises a WIFI network password.
  • FIG 4 provides an illustration of the working of the method 60 illustrated in Figure 3.
  • a number of computers 86 and several WIFI networks 88 are shown. A laptop 90 comprises one of the computers 86 and is moved along a path 92.
  • the motherboard identifier of the laptop computer will however be used to encrypt the various WIFI passwords and store them in the read-write partition of the corresponding USB device.
  • if the USB is stolen or lost, it will not be able to be used to connect to the WIFI networks 94, 96 and 98 without the laptop 90. This is considered to be particularly advantageous in the context of USB devices providing locked-down operating systems that provide remote desktops for banking operations.
  • FIG. 5 illustrates a method 100 according to a further embodiment of the present invention.
  • the method 100 comprises providing a number of USB devices that can be plugged into a number of computers.
  • the USB devices are associated with one or more computers using a registration method providing access to online bank accounts only if the USB is used to boot those computers.
  • the method 100 advantageously employs the method 60 described above.
  • each USB is used to boot a computer using an operating system partition of the USB device.
  • the operating system obtains a unique identifier from the corresponding computer.
  • the operating system reads encrypted Wi-Fi password information from an authentication partition of the USB device.
  • the Wi-Fi password information is tested by attempting to decrypt the Wi-Fi password information using the unique identifier as a decryption password. If it is determined that the computer identifier is able to decrypt the encrypted Wi-Fi password information, the operating system attempts to log onto the corresponding WIFI network. If the operating system is able to log onto the Wi-Fi network, the operating system commences a Remote Desktop protocol procedure that attempts to provide a Remote Desktop providing dedicated access to a bank account.
  • the method 100 includes booting a computer using the operating system area of a corresponding USB device, when the computer identifying information corresponds with the computer, and then automatically logging onto the associated WIFI network using the WIFI password.
  • the approach of the method 100 is further detailed in figure 5.
  • the computer identifying information is unique to a corresponding host computer with the WIFI network information being effectively locked to a particular host computer due to the computer identifying information.
  • the WIFI network information could comprise sets of WIFI network information each corresponding to a different host computer. A one to one association between the host computer and the USB device is presently preferred in situations requiring high security.
  • the form of the encryption comprises Advanced Encryption Standard (AES) 256-bit encryption keys with a cipher block chaining mode of operation.
  • AES Advanced Encryption Standard
  • the client software consists of a customised GNU/Linux distribution installed and distributed on a USB stick as a Live USB install.
  • the USB stick is partitioned with: (i) a first partition comprising a bootable, read-only FAT32 partition with operating system files and the bank access remote desktop client software; and (ii) a second partition comprising a read/write EXT3 partition for storing Wi-Fi passwords.
  • each user selects a Wi-Fi network SSID;
  • the User enters a plain text password into the client software;
  • the software connects to the Wi-Fi SSID with the plain text password;
  • the plain text password is combined with a unique hardware identifier using an encryption algorithm with the hardware identifier comprising the encryption password to produce an encrypted password;
  • the encrypted password is written as a file to the read-write partition;
  • the encrypted password is read from the read-write partition;
  • the encrypted password and unique hardware identifier are passed to a decryption algorithm that uses the unique hardware identifier as a decryption password;
  • Wi-Fi passwords are encrypted via the Advanced Encryption Standard (AES) with 256-bit encryption keys and CBC mode of operation.
  • the size of the encryption key and the mode of operation are predetermined. More specifically, Wi-Fi passwords are stored on an EXT3 file system of small size (5-10 MB). Wi-Fi passwords are stored in a separate partition to the Live USB operating system files.
  • the unique hardware identifier (such as CPU serial number, or network MAC address) is used as the cipher password when encrypting a Wi-Fi password.
  • Wi-Fi passwords persist between reboots of the Live USB system and are locked to a particular host computer. Moving the USB to a different host computer from the one that Wi-Fi passwords have been saved on does not unlock the plain text version of the encrypted password. Wi-Fi passwords are stored in an AES encrypted form, and not plain text, so are not immediately usable by outside viewers.
  • Whilst an embodiment has been described with particular regard to WIFI network passwords, other embodiments may encrypt personal information that is provided in the form of an electronic wallet, a block-chain private key, or other financial information.
  • the computer implemented system 200 includes: a plurality of USB devices 202 each having a first partition 204 and a second partition 206 (See Figure 7). Each first partition 204 stores an operating system 210 configured to be loaded upon booting a computer using the USB device 202. Each first partition 204 comprises a read only partition. Each second partition 206 comprises a read-write partition. Each operating system includes an encryption facility 212 for encrypting WIFI network password data with computer identifying information that uniquely identifies a computer to provide encrypted WIFI network authentication data.
  • Each operating system 210 includes a storage facility 215 for storing the encrypted WIFI network authentication data in the second partition 206.
  • Each operating system 210 further includes a retrieval facility 214 for retrieving said WIFI network password data by: (i) reading the encrypted WIFI network authentication data from the second partition; and (ii) applying the computer identifying information to the encrypted WIFI network authentication data by using the computer identifying information as a decryption password.
  • Each USB device provides a further embodiment comprising: a first partition 204 and a second partition 206 having the encryption facility 212, the storage facility 215 and the retrieval facility 214.
  • the operating system can be considered as providing an associator for associating personal information (the WIFI passwords) with computer identifying information to provide special personal information.
  • In another embodiment there is provided a method and system.
  • a plurality of mobile electronics devices in the form of USB storage devices.
  • Each device has a data store comprising a first area.
  • the embodiment includes providing an external data store external to the mobile electronics devices.
  • Each first area comprises a system area and in particular an operating system area for running on an authorised host computer.
  • the external data store is provided by an external system such as a cloud based system.
  • the external data store is provided for storing personal information in the form of confidential data such as banking account information.
  • the embodiment includes: in connection with each mobile electronic device: associating personal information with computer identifying information to provide special personal information.
  • the special personal information is stored in the external data store.
  • the personal information is retrieved by: (i) reading the special personal information from the external data store; and (ii) applying the computer identifying information to the special personal information.
  • each USB device uses computer identifying information determined by the operating system when running on a host computer to decrypt the special personal information which in this example comprises banking account information.
  • a system external to each mobile electronics device is used to take the computer identifying information of the host computer when the operating system is loaded onto the computer and decrypt the special personal information. This way, the data when stored on the external data store is tied to a computer that is authorised to use the USB device.
  • Each operating system is used in provision of a secured remote desktop for banking operations.
  • the locked down system environment provided by the operating system is directed toward preventing third party attacks.
  • the operating system provides no more than is necessary for remote desktop services with authentication to limit the attack surface.
  • a method including: (i) providing users with user accounts; (ii) providing the users with first virtual machines in association with local electronic devices of the users; (iii) receiving user data from the users where each user is provided with the ability to store data in association with the user account of the user; and (iv) encrypting the user data of each user based on computer identifying information of an associated local electronics device of the user.
  • the local electronic device of the user is an authorised device and the computer identifying information of the local electronics device is used to encrypt the user data.
  • each local electronics device comprises a unique hardware identifier of the local electronics device.
  • the method further includes storing the unique hardware identifiers of the local electronics devices in a data store of encryption keys; and associating the encryption keys with corresponding user accounts.
  • the method includes decrypting the data of each user based on the unique hardware identifier of the associated local electronics device of the user.
  • the user data comprises financial data.
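The encrypt-store-retrieve scheme described above (a Wi-Fi password encrypted with AES-256-CBC using the host's hardware identifier as the password, written as a record to the read-write partition, and tested at boot by attempting to decrypt it with the identifier of whatever host the USB device is now plugged into) is shown below as an added example in Go. It is not code from the patent or from the applicant; it serves both the USB authentication-partition description and the later external-data-store and per-user-account variants, since only the place the sealed record is kept changes. Everything beyond the page's own description is an assumption of this example: the key is derived from the identifier with PBKDF2-HMAC-SHA256 rather than used raw, an HMAC-SHA256 tag is appended so that a wrong host or an altered record is rejected deterministically (bare CBC padding would accept a wrong key roughly one time in 256), the salt and iteration count are this example's choices, the `CredentialStore` map stands in for the one-file-per-SSID EXT3 partition or the external store, and the motherboard serials and passphrase are constructed placeholders. Note what the scheme does and does not give a defender: a CPU serial or MAC address is readable by anyone holding the machine and has little entropy, so the identifier-derived key binds the record to the host as the page claims, but it is not a secret in its own right.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const saltLen, kdfIterations = 16, 50000 // this example's choices; the page fixes no KDF

// CredentialStore stands in for the read-write partition (one record per SSID) or the external store.
type CredentialStore map[string][]byte

// pbkdf2Block computes PBKDF2-HMAC-SHA256 block idx (32 bytes); the host identifier is the password.
func pbkdf2Block(password, salt []byte, iter int, idx byte) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, idx})
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// hostKeys derives separate AES-256 and HMAC keys from the host identifier.
func hostKeys(hostID string, salt []byte) (encKey, macKey []byte) {
	return pbkdf2Block([]byte(hostID), salt, kdfIterations, 1),
		pbkdf2Block([]byte(hostID), salt, kdfIterations, 2)
}

// SealToHost returns salt || iv || AES-256-CBC(PKCS#7 plaintext) || HMAC-SHA256 tag.
func SealToHost(plaintext []byte, hostID string) ([]byte, error) {
	hdr := make([]byte, saltLen+aes.BlockSize) // fresh random salt and IV
	if _, err := io.ReadFull(rand.Reader, hdr); err != nil {
		return nil, err
	}
	encKey, macKey := hostKeys(hostID, hdr[:saltLen])
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	body := make([]byte, len(hdr)+len(padded))
	copy(body, hdr)
	cipher.NewCBCEncrypter(block, hdr[saltLen:]).CryptBlocks(body[len(hdr):], padded)
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(body), nil // Sum appends the tag to body
}

// OpenOnHost reverses SealToHost; a different host identifier or an altered record fails the tag check.
func OpenOnHost(blob []byte, hostID string) ([]byte, error) {
	hdrLen := saltLen + aes.BlockSize
	if len(blob) < hdrLen+aes.BlockSize+sha256.Size || (len(blob)-hdrLen-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed record")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	encKey, macKey := hostKeys(hostID, body[:saltLen])
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errors.New("authentication failed: wrong host or modified record")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-hdrLen)
	cipher.NewCBCDecrypter(block, body[saltLen:hdrLen]).CryptBlocks(pt, body[hdrLen:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

// RetrieveCredential is the boot-time retrieval facility: the operating system passes
// the identifier it read from the host it is actually running on.
func RetrieveCredential(store CredentialStore, label, hostID string) (string, error) {
	blob, ok := store[label]
	if !ok {
		return "", fmt.Errorf("no record for %q", label)
	}
	pt, err := OpenOnHost(blob, hostID)
	return string(pt), err
}
```

Enrolment is `store[ssid], err = SealToHost([]byte(password), hostID)` on the authorised host; at boot, `RetrieveCredential(store, ssid, hostID)` with the identifier of the current host either yields the plaintext password for the Wi-Fi logon step or returns an error, which is the "is this computer able to decrypt it?" decision the method relies on before it proceeds to the remote desktop.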
  • In FIG. 8 there is shown a schematic diagram of a computer system 220 that is configured to provide preferred arrangements of systems and methods described herein.
  • the computer system 220 is provided as a distributed computer environment containing a number of individual computer systems 222 (computers/computing devices) that cooperate to provide the preferred arrangements.
  • the computer system 220 is provided as a single computing device.
  • a first one of the computing devices 222 includes a memory facility 224.
  • the memory facility 224 includes both 'general memory' and other forms of memory such as virtual memory.
  • the memory facility 224 is operatively connected to a processing facility 226 including at least one processor.
  • the memory facility 224 includes computer information in the form of executable instructions and/or computer data.
  • the memory facility 224 is accessible by the processing facility 226 in implementing the preferred arrangements.
  • each of the computing devices 422 includes a system bus facility 228, a data store facility 230, an input interface facility 232 and an output interface facility 234.
  • the data store facility 230 includes computer information in the form of executable instructions and/or computer data.
  • the data store facility 230 is operatively connected to the processing facility 226.
  • the data store facility 230 is operatively connected to the memory facility 224.
  • the data store facility 230 is accessible by the processing facility 226 in implementing the preferred arrangements.
  • Computer information may be located across a number of devices and be provided in a number of forms.
  • the data store facility 230 may include computer information in the form of executable instructions and/or computer data.
  • the computer data information may be provided in the form of encoded data instructions, data signals, data structures, program logic for server side operation, program logic for client side operation, stored webpages and so forth that are accessible by the processing facility 226.
  • input interfaces allow computer data to be received by the computing devices 222.
  • input interfaces allow computer data to be received from individuals operating one or more computer devices.
  • Output interfaces, on one level, allow for instructions to be sent to computing devices.
  • output interfaces allow computer data to be sent to individuals.
  • the input and output interface facilities 232, 234 provide input and output interfaces that are operatively associated with the processing facility 226. The input and output facilities 232, 234 allow for communication between the computing devices 222 and individuals.
  • the computing devices 222 provide a distributed system in which several devices are in communication over network and other interfaces to collectively provide the preferred arrangements.
  • the client device may be provided with a client side software product for use in the system which, when used, provides systems and methods where the client device and other computer devices 222 communicate over a public data network.
  • the software product contains computer information in the form of executable instructions and/or computer data for providing the preferred arrangements.
  • Input interfaces associated with keyboards, mice, trackballs, touchpads, scanners, video cards, audio cards, network cards and the like are known.
  • Output interfaces associated with monitors, printers, speakers, facsimiles, projectors and the like are known.
  • Network interfaces in the form of wired or wireless interfaces for various forms of LANs, WANs and so forth are known.
  • Storage facilities in the form of floppy disks, hard disks, disk cartridges, CD-ROMs, smart cards and RAID systems are known.
  • Volatile and non-volatile memory types including RAM, ROM, EEPROM and other data storage types are known.
  • Various transmission facilities such as circuit board material, coaxial cable, fibre optics, wireless facilities and so forth are known.
  • systems, components, facilities, interfaces and so forth can be provided in several forms.
  • Systems, components, facilities, interfaces and so forth may be provided as hardware, software or a combination thereof.
  • the present invention may be embodied as an electronics device, computer readable memory, a personal computer and distributed computing environments.
  • the present invention may be embodied as: a number of computer executable operations; a number of computer executable components; a set of process operations; a set of systems, facilities or components; a computer readable medium having stored thereon computer executable instructions for performing computer implemented methods and/or providing computer implemented systems; and so forth.
  • computer executable instructions preferably encode the systems, components and facilities described herein.
  • a computer-readable medium may be encoded with one or more facilities configured to run an application configured to carry out a number of operations forming at least part of the present arrangements.
  • Computer readable mediums preferably participate in the provision of computer executable instructions to one or more processors of one or more computing devices.
  • Computer executable instructions are preferably executed by one or more computing devices to cause the one or more computing devices to operate as desired.
  • Preferred data structures are preferably stored on a computer readable medium.
  • the computer executable instructions may form part of an operating system of a computer device for performing at least part of the preferred arrangements.
  • One or more computing devices may preferably implement the preferred arrangements.
  • the term computer is to be understood as including all forms of computing device including servers, personal computers, smart phones, digital assistants, electronics devices and distributed computing systems.
  • Computer readable mediums and so forth of the type envisaged are preferably intransient. Such computer readable mediums may be operatively associated with computer based transmission facilities for the transfer of computer data. Computer readable mediums may provide data signals. Computer readable mediums preferably include magnetic disks, optical disks and other electric/magnetic and physical storage mediums as may have or find application in the industry.
  • Components, systems and tasks may comprise a process involving the provision of executable instructions to perform a process or the execution of executable instructions within say a processor.
  • Applications or other executable instructions may perform method operations in different orders to achieve similar results. It is to be appreciated that the blocks of systems and methods described may be embodied in any suitable arrangement and in any suited order of operation. Computing facilities, modules, interfaces and the like may be provided in distinct, separate, joined, nested or other forms and arrangements. Methods will be apparent from systems described herein and systems will be apparent from methods described herein.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

In a preferred embodiment of the present invention shown in Figure 1, the invention relates to a computer-implemented method 10. The method comprises: (A) using at least one mobile electronic device, each device having a data store comprising a first area and a second area; the second area being separate from the first area in order to help secure the first area; the first area being a system area and the second area being for storing personal information; and (B) in connection with each mobile electronic device: associating personal information with computer identifying information to provide special personal information; storing the special personal information in the second area; and retrieving the personal information by: (i) reading the special personal information contained in the second area; and (ii) applying the computer identifying information to the special personal information.
PCT/IB2018/051362 2017-03-03 2018-03-03 Systèmes et procédés informatiques WO2018158750A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
AU2018228454A AU2018228454B2 (en) 2017-03-03 2018-03-03 Computing systems and methods
US16/490,794 US20200004951A1 (en) 2017-03-03 2018-03-03 Computing systems and methods
EP18761164.5A EP3590060A4 (fr) 2017-03-03 2018-03-03 Systèmes et procédés informatiques

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
AU2017900748 2017-03-03
AU2017900748A AU2017900748A0 (en) 2017-03-03 Computing systems and methods

Publications (2)

Publication Number Publication Date
WO2018158750A1 true WO2018158750A1 (fr) 2018-09-07
WO2018158750A9 WO2018158750A9 (fr) 2018-11-01

Family

ID=63370625

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2018/051362 WO2018158750A1 (fr) 2017-03-03 2018-03-03 Systèmes et procédés informatiques

Country Status (4)

Country Link
US (1) US20200004951A1 (fr)
EP (1) EP3590060A4 (fr)
AU (1) AU2018228454B2 (fr)
WO (1) WO2018158750A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110263524A (zh) * 2019-08-05 2019-09-20 厦门亿力吉奥科技信息有限公司 一种移动设备加密u盾

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10990683B2 (en) 2018-05-25 2021-04-27 At&T Intellectual Property I, L.P. Virtual reality for security augmentation in home and office environments
US12099997B1 (en) 2020-01-31 2024-09-24 Steven Mark Hoffberg Tokenized fungible liabilities

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030017740A1 (en) * 2001-07-19 2003-01-23 Satoshi Watanabe Electrical connector
US20040123127A1 (en) * 2002-12-18 2004-06-24 M-Systems Flash Disk Pioneers, Ltd. System and method for securing portable data
US20050141717A1 (en) * 2003-12-30 2005-06-30 International Business Machines Corporation Apparatus, system, and method for sealing a data repository to a trusted computing platform
US20070180515A1 (en) * 2002-08-07 2007-08-02 Radoslav Danilak System and method for transparent disk encryption
US8683232B2 (en) * 2011-05-18 2014-03-25 Cpo Technologies Corporation Secure user/host authentication
US20160337347A1 (en) * 2013-03-15 2016-11-17 Airwatch Llc Secondary device as key for authorizing access to resources

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080082813A1 (en) * 2000-01-06 2008-04-03 Chow David Q Portable usb device that boots a computer as a server with security measure
US20060069925A1 (en) * 2002-03-29 2006-03-30 Shinichi Nakai Content processing device, content accumulation medium, content processing method and content processing program
US8931063B2 (en) * 2008-07-28 2015-01-06 Evan S. Huang Methods and apparatuses for securely operating shared host computers with portable apparatuses
US8286883B2 (en) * 2007-11-12 2012-10-16 Micron Technology, Inc. System and method for updating read-only memory in smart card memory modules
US8127146B2 (en) * 2008-09-30 2012-02-28 Microsoft Corporation Transparent trust validation of an unknown platform
US9715598B2 (en) * 2010-11-17 2017-07-25 Invysta Technology Group Automatic secure escrowing of a password for encrypted information an attachable storage device
US20130074178A1 (en) * 2011-09-15 2013-03-21 Sandisk Technologies Inc. Preventing access of a host device to malicious data in a portable device
US9183415B2 (en) * 2011-12-01 2015-11-10 Microsoft Technology Licensing, Llc Regulating access using information regarding a host machine of a portable storage drive
US9479335B2 (en) * 2015-01-14 2016-10-25 Paul Michael Zachey Encrypted mass-storage device with self running application

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030017740A1 (en) * 2001-07-19 2003-01-23 Satoshi Watanabe Electrical connector
US20070180515A1 (en) * 2002-08-07 2007-08-02 Radoslav Danilak System and method for transparent disk encryption
US20040123127A1 (en) * 2002-12-18 2004-06-24 M-Systems Flash Disk Pioneers, Ltd. System and method for securing portable data
US20050141717A1 (en) * 2003-12-30 2005-06-30 International Business Machines Corporation Apparatus, system, and method for sealing a data repository to a trusted computing platform
US8683232B2 (en) * 2011-05-18 2014-03-25 Cpo Technologies Corporation Secure user/host authentication
US20160337347A1 (en) * 2013-03-15 2016-11-17 Airwatch Llc Secondary device as key for authorizing access to resources

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Reading /dev/urandom as early as possible", 16 October 2015 (2015-10-16), pages 1 - 4, XP055635453, Retrieved from the Internet <URL:https://stackoverflow.com/questions/33153010/reading-dev-urandom-as-early-as-possible> [retrieved on 20180605] *
See also references of EP3590060A4 *
WPSCHULZ: "Hard drive Installation", KNOPPIX DOCUMENTATION WIKI, 15 December 2016 (2016-12-15), XP055538590, Retrieved from the Internet <URL:http://knoppix.net/wiki3/index.php?title=Category:Hard_drive_Installation&oldid=9875> [retrieved on 20180530] *
ZLATANOV, N.: "Hard Disk Drive and Disk Encryption", IEEE COMPUTER SOCIETY, 21 March 2016 (2016-03-21), XP055538595, Retrieved from the Internet <URL:https://www.researchgate.net/publication/299282101> [retrieved on 20180605] *

Also Published As

Publication number Publication date
WO2018158750A9 (fr) 2018-11-01
EP3590060A4 (fr) 2020-11-11
EP3590060A1 (fr) 2020-01-08
US20200004951A1 (en) 2020-01-02
AU2018228454B2 (en) 2023-02-09
AU2018228454A1 (en) 2019-10-17

Similar Documents

Publication Publication Date Title
US11917075B2 (en) Multi-signature security account control system
US9735962B1 (en) Three layer key wrapping for securing encryption keys in a data storage system
JP6165883B2 (ja) 安全な仮想マシン移行
US10230693B2 (en) Safechannel encrypted messaging system
US10122713B2 (en) Method and device for the secure authentication and execution of programs
EP3427178B1 (fr) Partage sécurisé de fichiers sur de multiples domaines de sécurité et réseaux de communication dispersés
US20210409205A1 (en) Stateless service-mediated security module
US20140075502A1 (en) Resource management of execution environments
US7861015B2 (en) USB apparatus and control method therein
US11641271B2 (en) Control method, non-transitory computer-readable storage medium, and information processing apparatus
US20150067793A1 (en) Method for Secure, Entryless Login Using Internet Connected Device
CN109804598B (zh) 信息处理的方法、系统及计算机可读介质
US20140237262A1 (en) System and method for establishing perpetual trust among platform domains
JP2016531508A (ja) データセキュアストレージ
KR20200118303A (ko) 월렛 앱이 설치된 소유 디바이스 및/또는 블록체인 노드에 키를 분산 저장하는 비밀 키 보안 방법
US20160189138A1 (en) Alternative account identifier
US9563773B2 (en) Systems and methods for securing BIOS variables
AU2018228454B2 (en) Computing systems and methods
US20220286291A1 (en) Secure environment for cryptographic key generation
CN110059473A (zh) 应用账户登录方法、装置、计算机设备及计算机存储介质
CN114244565A (zh) 密钥分发方法、装置、设备、存储介质和计算机程序产品
KR20210022992A (ko) 전자지갑의 해킹 방지를 위한 개인키 보안 강화 시스템
JP2020191552A (ja) シェア分散システムおよび方法
KR102005974B1 (ko) 가상머신을 이용한 전자콘텐츠 보호 시스템 및 방법
US20240129140A1 (en) Mutual authentication in edge computing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18761164

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

ENP Entry into the national phase

Ref document number: 2018761164

Country of ref document: EP

Effective date: 20191004

ENP Entry into the national phase

Ref document number: 2018228454

Country of ref document: AU

Date of ref document: 20180303

Kind code of ref document: A